What Is the Worker Vault?

Each worker has a personal encrypted vault where you can store sensitive credentials like API keys, tokens, and passwords. Your worker can use these credentials during code execution without the raw values ever appearing in your conversations. Think of it like a locked filing cabinet for each employee. You put the keys in, and your worker can use them to get their job done — but they never handle the raw credentials directly.
The Vault is designed for credentials your worker needs during code execution — things like third-party API keys, database passwords, or service tokens. For tool integrations like Gmail or Slack, use Tools instead.

Why Use the Vault?

Without the Vault, you might be tempted to paste an API key directly into chat. That’s risky:
  • Credentials would be visible in conversation history
  • Anyone with access to the conversation could see them
  • There’s no easy way to rotate or revoke them
The Vault solves all of this:
| | Pasting in Chat | Using the Vault |
|---|---|---|
| Visible in conversation? | ✗ Yes | ✓ No |
| Encrypted at rest? | ✗ No | ✓ Yes |
| Easy to update or rotate? | ✗ No | ✓ Yes |
| Accessible during code execution? | ✗ Not reliably | ✓ Always |
Never paste passwords, API keys, or tokens directly into chat. Always use the Vault. See our Security Best Practices for more on keeping your workers secure.

How to Add Credentials to the Vault

  1. Open your worker’s settings page
  2. Navigate to the Vault section
  3. Click Add Key
  4. Enter a key name (e.g., MY_API_KEY) and the secret value
  5. Save — the value is encrypted immediately
Use clear, descriptive key names like OPENAI_API_KEY, STRIPE_SECRET_KEY, or DATABASE_PASSWORD. This makes it easy to remember what each key is for.

How Workers Access Vault Keys

During code execution, vault keys are exposed as environment variables with a VAULT_ prefix. For example:
  • A key named MY_API_KEY becomes available as VAULT_MY_API_KEY
  • A key named STRIPE_SECRET_KEY becomes available as VAULT_STRIPE_SECRET_KEY
Your worker accesses them in code like this:
import os

api_key = os.environ.get("VAULT_MY_API_KEY")
The raw value is never logged, displayed in chat, or stored in conversation history. Your worker uses the credential to make API calls or connect to services, and only the results come back to you.
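The lookup above returns None when a key is missing, which usually surfaces later as a confusing authentication error. The following is an added example, not Spinnable's own code: it resolves a vault key name to its VAULT_ environment variable, fails with an error that names only the variable, and masks secret values in any text the code is about to return. The helper names (vault_secret, vault_key_names, redact, MissingVaultKey) are hypothetical and the sample values are constructed; only the VAULT_ prefix comes from this page.

```python
import os

VAULT_PREFIX = "VAULT_"  # prefix this page says vault keys receive as env vars


class MissingVaultKey(RuntimeError):
    """Raised when an expected vault key is not present in the environment."""


def vault_secret(key_name, environ=None):
    """Return the secret for vault key `key_name` (e.g. MY_API_KEY).

    Fails closed: a missing or empty key raises instead of returning None,
    and the message contains only the variable name, never a value.
    """
    environ = os.environ if environ is None else environ
    var = VAULT_PREFIX + key_name
    value = environ.get(var)
    if not value:
        raise MissingVaultKey(f"{var} is not set; add {key_name} in the Vault settings")
    return value


def vault_key_names(environ=None):
    """List vault key names (prefix stripped) visible to this run; names only."""
    environ = os.environ if environ is None else environ
    return sorted(k[len(VAULT_PREFIX):] for k in environ if k.startswith(VAULT_PREFIX))


def redact(text, environ=None):
    """Replace any vault secret value found in `text` with a <VAULT_NAME> marker.

    Apply to exception text or response bodies before returning them as results:
    they can contain the credential, e.g. a request URL with the key in its query.
    """
    environ = os.environ if environ is None else environ
    # Longest values first so a secret that contains another is masked whole.
    secrets = sorted(((v, k) for k, v in environ.items()
                      if k.startswith(VAULT_PREFIX) and v),
                     key=lambda pair: len(pair[0]), reverse=True)
    for value, var in secrets:
        text = text.replace(value, f"<{var}>")
    return text


if __name__ == "__main__":
    # Constructed sample environment; the values are made up for the demo.
    env = {"VAULT_MY_API_KEY": "sk-demo-1234567890", "PATH": "/usr/bin"}
    print(vault_key_names(env))
    print(redact("401 Unauthorized: bad token sk-demo-1234567890", env))
```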

When to Use the Vault vs. Tools

Spinnable has two ways to give workers access to external services:
| Use Case | What to Use |
|---|---|
| Connecting to supported tools (Gmail, Slack, Notion, GitHub, etc.) | Tools: use OAuth or API key integrations |
| Custom API keys for services not available in Tools | Vault |
| Database credentials | Vault |
| Third-party service tokens | Vault |
| Passwords for custom scripts | Vault |
Rule of thumb: If the service is available in Tools, connect it there. Use the Vault for everything else your worker needs during code execution.

Managing Your Vault Keys

You can update or remove vault keys at any time from your worker’s settings:
  • Update a key: Change the value when you rotate credentials — your worker’s code doesn’t need to change since it references the same key name
  • Remove a key: Delete keys your worker no longer needs
  • List keys: You can see all key names stored in the vault (values are never displayed)
When you rotate a credential (e.g., generating a new API key), just update the value in the Vault. Your worker will automatically use the new value on the next execution — no conversation or code changes needed.

Best Practices

  • One key per service — Don’t reuse the same key across different services
  • Descriptive names — Use names that clearly identify the service and purpose (e.g., SENDGRID_API_KEY, not KEY_1)
  • Rotate regularly — Update credentials periodically, especially if you suspect a compromise
  • Remove unused keys — Clean up keys for services your worker no longer uses
  • Don’t duplicate tool connections — If a tool is available in Tools, use that instead of storing raw API keys in the Vault

Quick Checklist

Before storing a credential in the Vault, ask:
  • Is this service available in Tools? If yes, connect it there instead
  • Am I using a clear, descriptive key name?
  • Does this worker actually need this credential for their job?
  • Have I removed the old credential from anywhere it was previously shared (e.g., chat messages)?

Questions?

If you’re unsure whether to use the Vault or Tools for a specific service, just ask your worker — they can check what tools are available and recommend the best approach.